"Hotline: Cybersecurity and Privacy" tackles the philosophical, moral, strategic, and organizational quandaries related to higher education cybersecurity, privacy, and data. This month, Mike answers your questions about managing data, navigating cybersecurity regulations, and securing accounts.
Cloud Chaos: Dancing Around Compliance
Dear Hotline: Faculty keep storing student data in every cloud service known to humankind. I have policies. I have training. I have begged. I fear my next step is interpretive dance. What works when policy fatigue meets academic creative expression?
Practicing My Footwork
Dear Footwork: In the early 2000s, my team installed the institution's first intrusion prevention system (IPS). It had this nifty report that enumerated cloud services in use on the network. It was adorable listening to the vendor describe how the system would enable us to identify and block the use of unsanctioned cloud services—until the report showed something like 15,000 services in use. I can only imagine what that number would be today.
A convergence of pressures creates this situation. New services become available every day, and the campus community races to try them. Novelty is a powerful drug. For faculty, the border between their personal and professional lives is often quite porous. I've heard some say they couldn't use the campus-provided calendar solution because it wouldn't allow them to have a joint calendar with their family. Asking faculty to use an institutional clone of the same product they already use personally seems nonsensical.
The canonical answer to this problem, which you and everyone else have been following since Pebbles Flintstone enrolled in kindergarten, is the triumvirate of policy, education, and training. So, you're dancing on a well-worn floor. Obviously, you could go down the path of additional technology (such as data loss prevention tools) or more punitive actions for violations. But those tend to be theatrical, especially since no one is dismissing faculty members for mishandling data. Neither of these approaches would be as broadly effective as you might hope.
I suggest continuing your existing program, but start by quantifying risk. You may have reached the point of diminishing returns, where the effort required simply isn't worth your time compared to other, more pressing risks. Sometimes it's easy to lose sight of the fact that you'll never get 100 percent compliance. Once you can measure the scale of the remaining challenge, work with your governance committees to establish an acceptable threshold for the remaining risk. Once they sign off on "sufficient," the remaining challenge is no longer yours alone.
If more work is needed, try making it someone else's problem. No, I don't mean delegation. Rather, approach your faculty senate with an overview of the issue and get their input on how to tackle it. A faculty town hall where you lay out the scope of the challenge and the scale of the remaining risk forces you to crisply articulate the problem. It may also open the door to more effective communication. The conversation can generate ownership and empathy. Furthermore, student information is merely one example of the more general issue of sensitive data in unsanctioned services. Faculty members are smart. If you draw the connection between student information and their personal information, your argument takes on new valence for them. If all else fails, stay limber; you don't want to pull a muscle performing that interpretive dance.
Baseline Blues: Navigating Conflicting Cybersecurity Regulations
Dear Hotline: We've heard it before. There is no cybersecurity industry regulation for higher education. Should there be a shared cybersecurity baseline (law, regulation, whatever) across higher education institutions, and who should define or enforce it?
Policy Stack Overflow
Dear Overflow: I view this question as a setup, since almost any answer I give will alienate someone, and I may need to hide in your basement until things cool down. I think what you're hoping for is a simple answer like, "Yes, let's have one shared baseline." But the reality is that higher education does have cybersecurity regulations. We aren't underregulated; we are overregulated, with a mishigas of inconsistent, contradictory standards. Institutions juggle everything from the Health Insurance Portability and Accountability Act (HIPAA) and Cybersecurity Maturity Model Certification (CMMC) to the Gramm-Leach-Bliley Act (GLBA), state laws, and agency-specific requirements tied to grants and data-sharing agreements. The kicker is that most institutions must comply with multiple regulatory regimes simultaneously, with different requirements applying to different activities.
Our campuses are more like small cities than businesses, hosting wildly different activities under one jurisdiction. It's hard to imagine a single baseline that sensibly applies to both a nuclear research lab and a campus bookstore. And, of course, it wouldn't apply to functions already governed by their own highly detailed regulatory regimes. Any shared baseline would serve mostly as cybersecurity caulking, filling obvious gaps and not much more.
Privately, many cybersecurity professionals would still welcome a common set of minimum requirements. Why? Because compliance is far easier to justify than "doing the right thing." And while I've been pooh-poohing the practical value of a universal baseline, its absence leaves institutions exposed. If nature abhors a vacuum, regulators treat it as an invitation. I'd much rather see the higher education community come together to adopt even a lightweight framework—likely a curated subset of existing National Institute of Standards and Technology (NIST) work—than wait for policymakers, unfamiliar with the complexity and eccentricities of higher education, to impose something far less workable.
As to your question about definition and enforcement, the definition is easy; but, as is commonly said, a policy not enforced is a policy abandoned. I have no doubt that organizing a community-based group to propose a small set of possible universal baselines wouldn't be too difficult. But in the absence of a federal regulatory body, I fear we lack the organization or the will for enforcement. Perhaps someone will propose a short workshop on this topic for the 2026 EDUCAUSE Cybersecurity and Privacy Professionals Conference in Anaheim, California.
Login Limbo: Ending the Era of Eternal Accounts
Dear Hotline: We onboard hundreds of short-term instructors and student workers every semester. Offboarding is . . . more of a suggestion. What is a gentle but effective way to ask HR to stop letting accounts live forever?
Tired of Being AOL
Dear Tired: I'm so happy to get a question in the identity management (IM) space. At many institutions, IM is still treated as just another piece of infrastructure rather than as the fundamental cybersecurity concern it is. Everywhere I've worked, we've wrestled with this issue. The arguments supporting this practice go something like this: Short-term instructors come and go, and they often require access before they formally start working so they can begin loading course materials in the learning management system. They also need access after the end of the term to finalize grades and work with a few straggling students. So, HR sees terminating and restarting their accounts as too complex. Students present a different issue: They take jobs in a variety of departments, sometimes outside their academic unit, and they may hold multiple jobs at the same time. Plus, if they're not given separate employee accounts, their student accounts are often allowed a grace period after leaving the institution, as they need access to course artifacts. It's not uncommon for that grace period to be a full year or longer.
Of course, the right answer is to improve your identity and access management (IAM) systems to enhance onboarding and offboarding processes and provide greater granularity and flexibility. Couple this with a comprehensive account life cycle policy developed by your identity governance committee, and your problem disappears. But identity systems are notoriously difficult to update, and from your question, I'm guessing you haven't started down the path of identity governance yet. So rather than dancing with HR, let's focus on making the case for identity governance and raising the visibility of your identity systems.
I recommend approaching this in two dimensions. First, do the math. When I encountered this issue previously, I produced a report on the age of existing Active Directory accounts and found thousands that hadn't been used for more than a decade. Our core person database had active accounts that were nearly twenty-five years old, and almost all of them were for people who were no longer studying or working at the institution. What you're looking for is not just the age of the account but, more critically, the last time it was used to access an institutional system. In higher education, we tend to suffer from long-memory syndrome. We remember the edge case from fifteen years ago and use it to justify existing practices. You're trying to show that the bulk of your users operate within what are probably perfectly reasonable timeframes. That data can help you refine what perfectly reasonable means for your community.
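One way to produce that kind of report, as an added example that is not from the column or any particular institution: it assumes the RSAT ActiveDirectory PowerShell module, read access to the domain, and a hypothetical output file named stale-accounts.csv.

```powershell
# Added example: bucket enabled AD user accounts by years since last use,
# alongside plain account age, so the "last touched" number is what gets shown.
Import-Module ActiveDirectory

$now = Get-Date

function Get-IdleBucket([double]$Years) {
    if ($Years -lt 1)  { return '0: under 1 year' }
    if ($Years -lt 3)  { return '1: 1-3 years' }
    if ($Years -lt 10) { return '2: 3-10 years' }
    return '3: 10+ years'
}

# LastLogonDate is computed from lastLogonTimestamp, which replicates only
# about every 14 days; that is accurate enough for a years-scale report,
# but do not use it for day-by-day offboarding decisions.
$accounts = Get-ADUser -Filter 'Enabled -eq $true' -Properties whenCreated, LastLogonDate |
    ForEach-Object {
        $ageYears = ($now - $_.whenCreated).TotalDays / 365.25
        if ($null -eq $_.LastLogonDate) {
            # No recorded logon at all: treat the account's age as its idle
            # time, but keep it in its own bucket so it is not mistaken for use.
            $idleYears = $ageYears
            $bucket = 'never used'
        } else {
            $idleYears = ($now - $_.LastLogonDate).TotalDays / 365.25
            $bucket = Get-IdleBucket $idleYears
        }
        [pscustomobject]@{
            SamAccountName  = $_.SamAccountName
            AccountAgeYears = [math]::Round($ageYears, 1)
            IdleYears       = [math]::Round($idleYears, 1)
            Bucket          = $bucket
        }
    }

# The one-slide summary: how many enabled accounts sit in each idle bucket.
$accounts | Group-Object Bucket | Sort-Object Name |
    Select-Object @{ n = 'IdleBucket'; e = { $_.Name } }, Count |
    Format-Table -AutoSize

# The detail a working group can act on: accounts idle three years or more,
# oldest first, exported to a hypothetical CSV for HR to review.
$accounts | Where-Object { $_.IdleYears -ge 3 } |
    Sort-Object IdleYears -Descending |
    Export-Csv -Path .\stale-accounts.csv -NoTypeInformation
```

Run it against your core person database as well, if it exposes a last-authentication timestamp, since the directory alone will miss accounts that only touch other institutional systems.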
Second, frame the problem in HR language. Don't lead with cybersecurity risk; lead with compliance, liability, and process clarity. HR doesn't want to be the owner of orphaned accounts any more than you want to manage them. Show how ambiguous offboarding exposes the institution legally, how it complicates audits, how it increases the workload for HR, and how an evidence-based life cycle policy reduces exceptions rather than increases them. Make it clear that this isn't a security project; it's process hygiene.
Once you've presented the data and reframed the issue, position identity governance as a joint responsibility rather than a turf war. Offer HR visibility into the data you've collected. Suggest a shared working group to define life cycle states. Bring one clean, digestible slide showing the number of accounts that haven't been touched in years. Nothing motivates collaboration like the realization that people who left during the Bush administration still have working credentials.
Once HR sees that this isn't about taking control away from them but about giving them cleaner processes and fewer messes, they'll be more willing partners. "Gentle but effective" usually looks like this: Don't ask HR to fix offboarding; ask them to help define an identity framework that makes offboarding trivial.
Have a cybersecurity or privacy dilemma you'd like Mike to unpack? Submit your question through our anonymous form.
Michael Corn is an Executive Strategic Consultant at Vantage Technology Consulting Group.
© 2025 Michael Corn. The content of this work is licensed under a Creative Commons BY-NC-SA 4.0 International License.